pypomes-iam 0.2.5__tar.gz → 0.2.7__tar.gz

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: pypomes_iam
-Version: 0.2.5
+Version: 0.2.7
 Summary: A collection of Python pomes, penyeach (IAM modules)
 Project-URL: Homepage, https://github.com/TheWiseCoder/PyPomes-IAM
 Project-URL: Bug Tracker, https://github.com/TheWiseCoder/PyPomes-IAM/issues

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/pyproject.toml

@@ -6,7 +6,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "pypomes_iam"
-version = "0.2.5"
+version = "0.2.7"
 authors = [
   { name="GT Nunes", email="wisecoder01@gmail.com" }
 ]

pypomes_iam-0.2.5/src/pypomes_iam/common_pomes.py → pypomes_iam-0.2.7/src/pypomes_iam/iam_common.py

@@ -5,41 +5,55 @@ import string
 import sys
 from cachetools import Cache
 from datetime import datetime
+from enum import StrEnum
 from flask import Request
 from logging import Logger
 from pypomes_core import TZ_LOCAL, exc_format
 from pypomes_crypto import crypto_jwk_convert
-from typing import Any
+from typing import Any, Final
+
+
+class IamServer(StrEnum):
+    IAM_JUSRBR = "iam-jusbr",
+    IAM_KEYCLOAK = "iam-keycloak"
+
 
 # registry structure:
-# {
-#    "client-id": <str>,
-#    "client-secret": <str>,
-#    "client-timeout": <int>,
-#    "public_key": <str>,
-#    "key-lifetime": <int>,
-#    "key-expiration": <int>,
-#    "base-url": <str>,
-#    "callback-url": <str>,
-#    "safe-cache": <FIFOCache>
+# { <IamServer>:
+#    {
+#       "client-id": <str>,
+#       "client-secret": <str>,
+#       "client-timeout": <int>,
+#       "public_key": <str>,
+#       "pk-lifetime": <int>,
+#       "pk-expiration": <int>,
+#       "base-url": <str>,
+#       "logger": <Logger>,
+#       "cache": <FIFOCache>,
+#       "redirect-uri": <str>  <-- transient
+#    },
+#    ...
 # }
-# data in "safe-cache":
+# data in "cache":
 # {
 #    "users": {
 #       "<user-id>": {
-#         "access-token": <str>
-#         "refresh-token": <str>
-#         "access-expiration": <timestamp>,
-#         "login-expiration": <timestamp>,   <-- transient
-#         "login-id": <str>,                 <-- transient
+#          "access-token": <str>
+#          "refresh-token": <str>
+#          "access-expiration": <timestamp>,
+#          "refresh-expiration": <timestamp>,
+#          "login-expiration": <timestamp>,    <-- transient
+#          "login-id": <str>,                  <-- transient
 #       }
-#    }
+#    },
+#   ...
 # }
+IAM_SERVERS: Final[dict[IamServer, dict[str, Any]]] = {}
 
 
 def _service_login(registry: dict[str, Any],
                    args: dict[str, Any],
-                   logger: Logger | None) -> str:
+                   logger: Logger | None) -> dict[str, str]:
     """
     Build the callback URL for redirecting the request to the IAM's authentication page.
 
@@ -48,7 +62,6 @@ def _service_login(registry: dict[str, Any],
     :param logger: optional logger
     :return: the callback URL, with the appropriate parameters
     """
-
     # retrieve user data
     oauth_state: str = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(16))
 
@@ -61,19 +74,17 @@ def _service_login(registry: dict[str, Any],
     user_data["login-id"] = user_id
     timeout: int = _get_login_timeout(registry=registry)
     user_data["login-expiration"] = int(datetime.now(tz=TZ_LOCAL).timestamp()) + timeout if timeout else None
+    redirect_uri: str = args.get("redirect-uri")
+    registry["redirect-uri"] = redirect_uri
 
-    # build the redirect url
-    result: str = (f"{registry["base-url"]}/protocol/openid-connect/auth"
-                   f"?response_type=code&scope=openid"
-                   f"&client_id={registry["client-id"]}"
-                   f"&redirect_uri={registry["callback-url"]}"
-                   f"&state={oauth_state}")
-
-    # logout the user
-    _service_logout(registry=registry,
-                    args=args,
-                    logger=logger)
-    return result
+    # build the login url
+    return {
+        "login-url": (f"{registry["base-url"]}/protocol/openid-connect/auth"
+                      f"?response_type=code&scope=openid"
+                      f"&client_id={registry["client-id"]}"
+                      f"&redirect_uri={redirect_uri}"
+                      f"&state={oauth_state}")
+    }
 
 
 def _service_logout(registry: dict[str, Any],
@@ -89,7 +100,7 @@ def _service_logout(registry: dict[str, Any],
     # remove the user data
     user_id: str = args.get("user-id") or args.get("login")
     if user_id:
-        cache: Cache = registry["safe-cache"]
+        cache: Cache = registry["cache"]
         users: dict[str, dict[str, Any]] = cache.get("users")
         if user_id in users:
             users.pop(user_id)
@@ -102,7 +113,7 @@ def _service_callback(registry: dict[str, Any],
                       errors: list[str],
                       logger: Logger | None) -> tuple[str, str]:
     """
-    Entry point for the callback from JusBR on authentication operation.
+    Entry point for the callback from JusBR via the front-end application on authentication operation.
 
     :param registry: the registry holding the authentication data
     :param args: the arguments passed when requesting the service
@@ -115,7 +126,7 @@ def _service_callback(registry: dict[str, Any],
     result: tuple[str, str] | None = None
 
     # retrieve the users authentication data
-    cache: Cache = registry["safe-cache"]
+    cache: Cache = registry["cache"]
     users: dict[str, dict[str, Any]] = cache.get("users")
 
     # validate the OAuth2 state
@@ -138,7 +149,7 @@ def _service_callback(registry: dict[str, Any],
             body_data: dict[str, Any] = {
                 "grant_type": "authorization_code",
                 "code": code,
-                "redirect_uri": registry.get("callback-url"),
+                "redirect_uri": registry.get("redirect-uri"),
             }
             token = _post_for_token(registry=registry,
                                     user_data=user_data,
@@ -147,8 +158,8 @@ def _service_callback(registry: dict[str, Any],
                                     logger=logger)
             # retrieve the token's claims
             if not errors:
-                public_key: bytes = _get_public_key(registry=registry,
-                                                    logger=logger)
+                public_key: str = _get_public_key(registry=registry,
+                                                  logger=logger)
                 token_claims: dict[str, dict[str, Any]] = token_validate(token=token,
                                                                          issuer=registry["base-url"],
                                                                          public_key=public_key,
@@ -156,7 +167,8 @@ def _service_callback(registry: dict[str, Any],
                                                                          logger=logger)
                 if not errors:
                     token_user: str = token_claims["payload"].get("preferred_username")
-                    if token_user == oauth_state:
+                    login_id = user_data.pop("login-id", None)
+                    if not login_id or (login_id == token_user):
                         users[token_user] = user_data
                         result = (token_user, token)
                     else:
@@ -164,6 +176,9 @@ def _service_callback(registry: dict[str, Any],
     else:
         errors.append("Unknown state received")
 
+    if errors and logger:
+        logger.error(msg="; ".join(errors))
+
     return result
 
 
@@ -187,6 +202,7 @@ def _service_token(registry: dict[str, Any],
     user_data: dict[str, Any] = _get_user_data(registry=registry,
                                                user_id=user_id,
                                                logger=logger)
+    err_msg: str | None = None
     token: str = user_data["access-token"]
     if token:
         access_expiration: int = user_data.get("access-expiration")
@@ -197,41 +213,51 @@ def _service_token(registry: dict[str, Any],
             # access token has expired
             refresh_token: str = user_data["refresh-token"]
             if refresh_token:
-                body_data: dict[str, str] = {
-                    "grant_type": "refresh_token",
-                    "refresh_token": refresh_token
-                }
-                result = _post_for_token(registry=registry,
-                                         user_data=user_data,
-                                         body_data=body_data,
-                                         errors=errors,
-                                         logger=logger)
-
-    elif logger or isinstance(errors, list):
+                refresh_expiration = user_data["refresh-expiration"]
+                if now < refresh_expiration:
+                    body_data: dict[str, str] = {
+                        "grant_type": "refresh_token",
+                        "refresh_token": refresh_token
+                    }
+                    result = _post_for_token(registry=registry,
+                                             user_data=user_data,
+                                             body_data=body_data,
+                                             errors=errors,
+                                             logger=logger)
+                else:
+                    # refresh token has expired
+                    err_msg = "Access and refresh tokens expired"
+            else:
+                err_msg = "Access token expired, no refresh token available"
+    else:
+        err_msg = f"User '{user_id}' not authenticated"
+    
+    if err_msg and (logger or isinstance(errors, list)):
         err_msg: str = f"User '{user_id}' not authenticated"
         if isinstance(errors, list):
             errors.append(err_msg)
         if logger:
             logger.error(msg=err_msg)
+            logger.error(msg=err_msg)
 
     return result
 
 
 def _get_public_key(registry: dict[str, Any],
-                    logger: Logger | None) -> bytes:
+                    logger: Logger | None) -> str:
     """
     Obtain the public key used by the *IAM* to sign the authentication tokens.
 
     The public key is saved in *registry*.
 
     :param registry: the registry holding the authentication data
-    :return: the public key, in *DER* format
+    :return: the public key, in *PEM* format
     """
     # initialize the return variable
-    result: bytes | None = None
+    result: str | None = None
 
     now: int = int(datetime.now(tz=TZ_LOCAL).timestamp())
-    if now > registry["key-expiration"]:
+    if now > registry["pk-expiration"]:
         # obtain a new public key
         url: str = f"{registry["base-url"]}/protocol/openid-connect/certs"
         if logger:
@@ -243,10 +269,10 @@ def _get_public_key(registry: dict[str, Any],
                 logger.debug(msg=f"GET success, status {response.status_code}")
             reply: dict[str, Any] = response.json()
             result = crypto_jwk_convert(jwk=reply["keys"][0],
-                                        fmt="DER")
+                                        fmt="PEM")
             registry["public-key"] = result
-            duration: int = registry["key-lifetime"] or 0
-            registry["key-expiration"] = now + duration
+            lifetime: int = registry["pk-lifetime"] or 0
+            registry["pk-expiration"] = now + lifetime
         elif logger:
             msg: str = f"GET failure, status {response.status_code}, reason '{response.reason}'"
             if hasattr(response, "content") and response.content:
@@ -281,14 +307,15 @@ def _get_user_data(registry: dict[str, Any],
     :param registry: the registry holding the authentication data
     :return: the data for *user_id* in the registry
     """
-    cache: Cache = registry["safe-cache"]
+    cache: Cache = registry["cache"]
     users: dict[str, dict[str, Any]] = cache.get("users")
     result: dict[str, Any] = users.get(user_id)
     if not result:
         result = {
             "access-token": None,
             "refresh-token": None,
-            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp())
+            "access-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
+            "refresh-expiration": sys.maxsize
         }
         users[user_id] = result
         if logger:
@@ -310,7 +337,7 @@ def _post_for_token(registry: dict[str, Any],
     For token exchange, *body_data* will have the attributes
         - "grant_type": "authorization_code"
         - "code": <16-character-random-code>
-        - "redirect_uri": <callback-url>
+        - "redirect_uri": <redirect-uri>
     For token refresh, *body_data* will have the attributes
         - "grant_type": "refresh_token"
         - "refresh_token": <current-refresh-token>
@@ -347,7 +374,8 @@ def _post_for_token(registry: dict[str, Any],
         #   "token_type": "Bearer",
         #   "access_token": <str>,
         #   "expires_in": <number-of-seconds>,
-        #   "refresh_token": <str>
+        #   "refresh_token": <str>,
+        #   "refesh_expires_in": <number-of-seconds>
         # }
         response: requests.Response = requests.post(url=url,
                                                     data=body_data)
@@ -361,6 +389,8 @@ def _post_for_token(registry: dict[str, Any],
             # on token refresh, keep current refresh token if a new one is not provided
             user_data["refresh-token"] = reply.get("refresh_token") or body_data.get("refresh_token")
             user_data["access-expiration"] = now + reply.get("expires_in")
+            refresh_expiration: int = user_data.get("refresh_expires_in")
+            user_data["refresh-expiration"] = (now + refresh_expiration) if refresh_expiration else sys.maxsize
         else:
             # request resulted in error
             err_msg = f"POST failure, status {response.status_code}, reason '{response.reason}'"

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/src/pypomes_iam/iam_pomes.py

@@ -1,13 +1,12 @@
-from flask import Response, redirect, request, jsonify
+from flask import Response, request, jsonify
 from logging import Logger
 from typing import Any
 
-from .common_pomes import (
+from .iam_common import (
+    IAM_SERVERS, IamServer,
     _service_login, _service_logout,
     _service_callback, _service_token, _log_init
 )
-from .jusbr_pomes import _jusbr_get_logger, _jusbr_get_registry
-from .keycloak_pomes import _keycloak_get_logger, _keycloak_get_registry
 
 
 # @flask_app.route(rule=<login_endpoint>,  # JUSBR_LOGIN_ENDPOINT: /iam/jusbr:login
@@ -23,18 +22,18 @@ def service_login() -> Response:
     :return: the response from the redirect operation
     """
     # retrieve logger and registry
-    logger, registry = _get_iam_args(endpoint=request.endpoint)
+    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
+    logger: Logger = registry["logger"]
 
     # log the request
     if logger:
         logger.debug(msg=_log_init(request=request))
 
-    # obtain the redirect URL
-    auth_url: str = _service_login(registry=registry,
-                                   args=request.args,
-                                   logger=logger)
-    # redirect the request
-    result: Response = redirect(location=auth_url)
+    # obtain the login URL
+    login_data: dict[str,  str] = _service_login(registry=registry,
+                                                 args=request.args,
+                                                 logger=logger)
+    result = jsonify(login_data)
 
     # log the response
     if logger:
@@ -56,7 +55,8 @@ def service_logout() -> Response:
     :return: response *OK*
     """
     # retrieve logger and registry
-    logger, registry = _get_iam_args(endpoint=request.endpoint)
+    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
+    logger: Logger = registry["logger"]
 
     # log the request
     if logger:
@@ -84,10 +84,14 @@ def service_callback() -> Response:
     """
     Entry point for the callback from JusBR on authentication operation.
 
+    This callback is typically invoked from a front-end application after a successful login at the
+    JusBR login page, forwarding the data received.
+
     :return: the response containing the token, or *BAD REQUEST*
     """
     # retrieve logger and registry
-    logger, registry = _get_iam_args(endpoint=request.endpoint)
+    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
+    logger: Logger = registry["logger"]
 
     # log the request
     if logger:
@@ -126,7 +130,8 @@ def service_token() -> Response:
     :return: the response containing the token, or *UNAUTHORIZED*
     """
     # retrieve logger and registry
-    logger, registry = _get_iam_args(endpoint=request.endpoint)
+    registry: dict[str, Any] = __get_iam_registry(endpoint=request.endpoint)
+    logger: Logger = registry["logger"]
 
     # log the request
     if logger:
@@ -152,23 +157,20 @@ def service_token() -> Response:
     return result
 
 
-def _get_iam_args(endpoint: str) -> tuple[Logger, dict[str, Any]]:
+def __get_iam_registry(endpoint: str) -> dict[str, Any]:
     """
-    Retrieve the logger and registry associated the the IAM identifies by *endpoint*.
+    Retrieve the registry associated the the IAM identifies by *endpoint*.
 
     :param endpoint: the service enpoint identifying the IAM.
     :return: the tuple (*logger*, *registry*) associated with *endpoint*
     """
-    # initialize the return variables
-    result_logger: Logger | None = None
-    result_registry: dict[str, Any] | None = None
+    # initialize the return variable
+    result: dict[str, Any] | None = None
 
     if endpoint.startswith("jusbr-"):
-        result_logger = _jusbr_get_logger()
-        result_registry = _jusbr_get_registry()
+        result = IAM_SERVERS[IamServer.IAM_JUSRBR]
     elif endpoint.startswith("keycloak-"):
-        result_logger = _keycloak_get_logger()
-        result_registry = _keycloak_get_registry()
+        result = IAM_SERVERS[IamServer.IAM_KEYCLOAK]
 
-    return result_logger, result_registry
+    return result
 

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/src/pypomes_iam/jusbr_pomes.py

@@ -7,7 +7,7 @@ from pypomes_core import (
 )
 from typing import Any, Final
 
-from .common_pomes import _service_token
+from .iam_common import IAM_SERVERS, IamServer, _service_token
 
 JUSBR_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_ID")
 JUSBR_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_CLIENT_SECRET")
@@ -25,36 +25,6 @@ JUSBR_ENDPOINT_TOKEN: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_ENDPOINT
 JUSBR_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_JUSBR_PUBLIC_KEY_LIFETIME",
                                                     def_value=86400)  # 24 hours
 JUSBR_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_AUTH_BASE")
-JUSBR_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_JUSBR_URL_AUTH_CALLBACK")
-
-# registry structure:
-# {
-#    "client-id": <str>,
-#    "client-secret": <str>,
-#    "client-timeout": <int>,
-#    "public_key": <str>,
-#    "key-lifetime": <int>,
-#    "key-expiration": <int>,
-#    "base-url": <str>,
-#    "callback-url": <str>,
-#    "safe-cache": <FIFOCache>
-# }
-# data in "safe-cache":
-# {
-#    "users": {
-#       "<user-id>": {
-#         "access-token": <str>
-#         "refresh-token": <str>
-#         "access-expiration": <timestamp>,
-#         "login-expiration": <timestamp>,   <-- transient
-#         "login-id": <str>,                 <-- transient
-#       }
-#    }
-# }
-_jusbr_registry: dict[str, Any] | None = None
-
-# dafault logger
-_jusbr_logger: Logger | None = None
 
 
 def jusbr_setup(flask_app: Flask,
@@ -67,7 +37,6 @@ def jusbr_setup(flask_app: Flask,
                 login_endpoint: str = JUSBR_ENDPOINT_LOGIN,
                 logout_endpoint: str = JUSBR_ENDPOINT_LOGOUT,
                 base_url: str = JUSBR_URL_AUTH_BASE,
-                callback_url: str = JUSBR_URL_AUTH_CALLBACK,
                 logger: Logger = None) -> None:
     """
     Configure the JusBR IAM.
@@ -84,27 +53,23 @@ def jusbr_setup(flask_app: Flask,
     :param login_endpoint: endpoint for redirecting user to JusBR login page
     :param logout_endpoint: endpoint for terminating user access to JusBR
     :param base_url: base URL to request the JusBR services
-    :param callback_url: URL for JusBR to callback on login
     :param logger: optional logger
     """
     from .iam_pomes import service_login, service_logout, service_callback, service_token
-    global _jusbr_logger, _jusbr_registry
-
-    # establish the logger
-    _jusbr_logger = logger
 
     # configure the JusBR registry
-    safe_cache: Cache = FIFOCache(maxsize=1048576)
-    safe_cache["users"] = {}
-    _jusbr_registry = {
+    cache: Cache = FIFOCache(maxsize=1048576)
+    cache["users"] = {}
+    IAM_SERVERS[IamServer.IAM_JUSRBR] = {
         "client-id": client_id,
         "client-secret": client_secret,
         "client-timeout": client_timeout,
         "base-url": base_url,
-        "callback-url": callback_url,
-        "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-        "key-lifetime": public_key_lifetime,
-        "safe-cache": safe_cache
+        "pk-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
+        "pk-lifetime": public_key_lifetime,
+        "cache": cache,
+        "logger": logger,
+        "redirect-uri": None
     }
 
     # establish the endpoints
@@ -141,27 +106,9 @@ def jusbr_get_token(user_id: str,
     :param logger: optional logger
     :return: the uthentication tokem
     """
-    global _jusbr_registry
-
     # retrieve the token
     args: dict[str, Any] = {"user-id": user_id}
-    return _service_token(registry=_jusbr_registry,
+    return _service_token(registry=IAM_SERVERS[IamServer.IAM_JUSRBR],
                           args=args,
                           errors=errors,
                           logger=logger)
-
-
-def _jusbr_get_logger() -> Logger:
-    """
-    Retrieve the logger for JusBR operations.
-    :return: the Keycloak logger
-    """
-    return _jusbr_logger
-
-
-def _jusbr_get_registry() -> dict[str, Any]:
-    """
-    Retrieve the registry holding user authentication data related to JusBR operations.
-    :return: the Keycloak registry
-    """
-    return _jusbr_registry

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/src/pypomes_iam/keycloak_pomes.py

@@ -7,7 +7,7 @@ from pypomes_core import (
 )
 from typing import Any, Final
 
-from .common_pomes import _service_token
+from .iam_common import IAM_SERVERS, IamServer, _service_token
 
 KEYCLOAK_CLIENT_ID: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_ID")
 KEYCLOAK_CLIENT_SECRET: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_CLIENT_SECRET")
@@ -26,36 +26,6 @@ KEYCLOAK_PUBLIC_KEY_LIFETIME: Final[int] = env_get_int(key=f"{APP_PREFIX}_KEYCLO
                                                        def_value=86400)  # 24 hours
 KEYCLOAK_REALM: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_REALM")
 KEYCLOAK_URL_AUTH_BASE: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_BASE")
-KEYCLOAK_URL_AUTH_CALLBACK: Final[str] = env_get_str(key=f"{APP_PREFIX}_KEYCLOAK_URL_AUTH_CALLBACK")
-
-# registry structure:
-# {
-#    "client-id": <str>,
-#    "client-secret": <str>,
-#    "client-timeout": <int>,
-#    "public_key": <str>,
-#    "key-lifetime": <int>,
-#    "key-expiration": <int>,
-#    "base-url": <str>,
-#    "callback-url": <str>,
-#    "safe-cache": <FIFOCache>
-# }
-# data in "safe-cache":
-# {
-#    "users": {
-#       "<user-id>": {
-#         "access-token": <str>
-#         "refresh-token": <str>
-#         "access-expiration": <timestamp>,
-#         "login-expiration": <timestamp>,   <-- transient
-#         "login-id": <str>,                 <-- transient
-#       }
-#    }
-# }
-_keycloak_registry: dict[str, Any] = {}
-
-# dafault logger
-_keycloak_logger: Logger | None = None
 
 
 def keycloak_setup(flask_app: Flask,
@@ -69,7 +39,6 @@ def keycloak_setup(flask_app: Flask,
                    login_endpoint: str = KEYCLOAK_ENDPOINT_LOGIN,
                    logout_endpoint: str = KEYCLOAK_ENDPOINT_LOGOUT,
                    base_url: str = KEYCLOAK_URL_AUTH_BASE,
-                   callback_url: str = KEYCLOAK_URL_AUTH_CALLBACK,
                    logger: Logger = None) -> None:
     """
     Configure the Keycloak IAM.
@@ -87,27 +56,23 @@ def keycloak_setup(flask_app: Flask,
     :param login_endpoint: endpoint for redirecting user to JusBR login page
     :param logout_endpoint: endpoint for terminating user access to JusBR
     :param base_url: base URL to request the JusBR services
-    :param callback_url: URL for Keycloak to callback on login
     :param logger: optional logger
     """
     from .iam_pomes import service_login, service_logout, service_callback, service_token
-    global _keycloak_logger, _keycloak_registry
-
-    # establish the logger
-    _keycloak_logger = logger
 
-    # configure the JusBR registry
-    safe_cache: Cache = FIFOCache(maxsize=1048576)
-    safe_cache["users"] = {}
-    _keycloak_registry = {
+    # configure the Keycloak registry
+    cache: Cache = FIFOCache(maxsize=1048576)
+    cache["users"] = {}
+    IAM_SERVERS[IamServer.IAM_KEYCLOAK] = {
         "client-id": client_id,
         "client-secret": client_secret,
         "client-timeout": client_timeout,
         "base-url": f"{base_url}/realms/{realm}",
-        "callback-url": callback_url,
-        "key-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
-        "key-lifetime": public_key_lifetime,
-        "safe-cache": safe_cache
+        "pk-expiration": int(datetime.now(tz=TZ_LOCAL).timestamp()),
+        "pk-lifetime": public_key_lifetime,
+        "cache": cache,
+        logger: logger,
+        "redirect-uri": None
     }
 
     # establish the endpoints
@@ -144,27 +109,9 @@ def keycloak_get_token(user_id: str,
     :param logger: optional logger
     :return: the uthentication tokem
     """
-    global _keycloak_registry
-
     # retrieve the token
     args: dict[str, Any] = {"user-id": user_id}
-    return _service_token(registry=_keycloak_registry,
+    return _service_token(registry=IAM_SERVERS[IamServer.IAM_KEYCLOAK],
                           args=args,
                           errors=errors,
                           logger=logger)
-
-
-def _keycloak_get_logger() -> Logger:
-    """
-    Retrieve the logger for Keycloak operations.
-    :return: the Keycloak logger
-    """
-    return _keycloak_logger
-
-
-def _keycloak_get_registry() -> dict[str, Any]:
-    """
-    Retrieve the registry holding user authentication data related to Keycloak operations.
-    :return: the Keycloak registry
-    """
-    return _keycloak_registry

{pypomes_iam-0.2.5 → pypomes_iam-0.2.7}/src/pypomes_iam/token_pomes.py

@@ -58,8 +58,11 @@ def token_validate(token: str,
     # validate the token
     if not errors:
         token_alg: str = token_header.get("alg")
+        require: list[str] = ["exp", "iat"]
+        if issuer:
+            require.append("iss")
         options: dict[str, Any] = {
-            "require": ["exp", "iat"],
+            "require": require,
             "verify_aud": False,
             "verify_exp": True,
             "verify_iat": True,